src/hb-buffer-private.hh | 11 +++++++++++ src/hb-buffer.cc | 8 ++++++++ src/hb-ot-shape.cc | 6 ++++++ test/fuzzing/Makefile.am | 2 ++ 4 files changed, 27 insertions(+)
New commits:
commit 4301703bddb63a01651a0d58474bb15ac0ebbcf6
Author: Behdad Esfahbod <beh...@behdad.org>
Date: Thu Nov 5 23:44:59 2015 -0800
Limit buffer max size growth https://github.com/behdad/harfbuzz/issues/161
diff --git a/src/hb-buffer-private.hh b/src/hb-buffer-private.hh
index 721e718..8d9ae7c 100644
--- a/src/hb-buffer-private.hh
+++ b/src/hb-buffer-private.hh
@@ -35,6 +35,16 @@
 #include "hb-unicode-private.hh"
+#ifndef HB_BUFFER_MAX_EXPANSION_FACTOR
+#define HB_BUFFER_MAX_EXPANSION_FACTOR 32
+#endif
+#ifndef HB_BUFFER_MAX_LEN_MIN
+#define HB_BUFFER_MAX_LEN_MIN 8192
+#endif
+#ifndef HB_BUFFER_MAX_LEN_DEFAULT_
+#define HB_BUFFER_MAX_LEN_DEFAULT 0x3FFFFFFF /* Shaping more than a billion chars? Let us know! */
+#endif
+
 ASSERT_STATIC (sizeof (hb_glyph_info_t) == 20);
 ASSERT_STATIC (sizeof (hb_glyph_info_t) == sizeof (hb_glyph_position_t));
@@ -71,6 +81,7 @@ struct hb_buffer_t {
 hb_buffer_cluster_level_t cluster_level;
 hb_codepoint_t replacement; /* U+FFFD or something else. */
 hb_buffer_scratch_flags_t scratch_flags; /* Have space-flallback, etc. */
+ unsigned int max_len; /* Maximum allowed len. */
 /* Buffer contents */
 hb_buffer_content_type_t content_type;
diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index f690769..5c71734 100644
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -91,6 +91,11 @@ hb_buffer_t::enlarge (unsigned int size)
 {
 if (unlikely (in_error))
 return false;
+ if (unlikely (size > max_len))
+ {
+ in_error = true;
+ return false;
+ }
 unsigned int new_allocated = allocated;
 hb_glyph_position_t *new_pos = NULL;
@@ -715,6 +720,8 @@ hb_buffer_create (void)
 if (!(buffer = hb_object_create<hb_buffer_t> ()))
 return hb_buffer_get_empty ();
+ buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
+
 buffer->reset ();
 return buffer;
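Review bot: The guard on the last new macro in hb-buffer-private.hh is misspelled: `#ifndef HB_BUFFER_MAX_LEN_DEFAULT_` (trailing underscore) tests a name nothing ever defines, so `HB_BUFFER_MAX_LEN_DEFAULT` is defined unconditionally and, unlike the two macros above it, cannot be overridden from the build line — a `-DHB_BUFFER_MAX_LEN_DEFAULT=...` would produce a macro redefinition instead. Change the guard to `#ifndef HB_BUFFER_MAX_LEN_DEFAULT`. Since this value is the ceiling enlarge() enforces whenever no per-call cap is active, it is also worth a one-line comment next to it, e.g. `/* Absolute cap on buffer len; hb_ot_shape_internal tightens it for the duration of a shaping call. */`.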
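Review bot: The new `max_len` member is documented only as "Maximum allowed len.", which says nothing about who owns the value or what happens when it is hit, and this matters because hb_buffer_get_empty appears to initialise the struct positionally and hb_ot_shape_internal rewrites the field on every call. Suggested comment on that line: `unsigned int max_len; /* Maximum allowed len; enlarge() sets in_error past it. Initialised to HB_BUFFER_MAX_LEN_DEFAULT, tightened per call by hb_ot_shape_internal and restored afterwards. */`. The hb_buffer_t definition starts before and ends after this hunk.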
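Review bot: The new `size > max_len` check in hb_buffer_t::enlarge bounds allocation requests, but it does not by itself bound `len`: if enlarge() is only reached when a request exceeds `allocated` (its caller is outside this hunk, so this is an inference), a buffer reused after an earlier, larger shaping run already has capacity above the tighter cap that hb_ot_shape_internal computes for a short input, and len can grow well past that cap without ever reaching this comparison. If the intent behind issue 161 is to stop runaway expansion rather than only over-allocation, the same comparison belongs on the path that grows len (ensure() or its equivalent) as well. The block also deserves a comment, e.g. `/* Refuse to grow past max_len; in_error is sticky so later calls fail fast. */`. enlarge()'s body continues past the end of this hunk.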
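Review bot: In hb_buffer_create the new `buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;` runs before `buffer->reset ()`, so the default survives only if reset() leaves that field alone; reset() is not in this diff, so that needs confirming. If reset() is what backs the public reset entry point for callers (presumably), the assignment arguably belongs inside it, so that a buffer left with a tightened cap by an aborted shaping call is restored along with everything else. At minimum add above the new line: `/* reset () must not clear max_len; shaping tightens it per call and restores the default. */`.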
@@ -740,6 +747,7 @@ hb_buffer_get_empty (void)
 HB_BUFFER_CLUSTER_LEVEL_DEFAULT,
 HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT,
 HB_BUFFER_SCRATCH_FLAG_DEFAULT,
+ HB_BUFFER_MAX_LEN_DEFAULT,
 HB_BUFFER_CONTENT_TYPE_INVALID,
 HB_SEGMENT_PROPERTIES_DEFAULT,
diff --git a/src/hb-ot-shape.cc b/src/hb-ot-shape.cc
index c4c1c7f..09e98b7 100644
--- a/src/hb-ot-shape.cc
+++ b/src/hb-ot-shape.cc
@@ -798,6 +798,11 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
 {
 c->buffer->deallocate_var_all ();
 c->buffer->scratch_flags = HB_BUFFER_SCRATCH_FLAG_DEFAULT;
+ if (likely (!_hb_unsigned_int_mul_overflows (c->buffer->len, HB_BUFFER_MAX_EXPANSION_FACTOR)))
+ {
+ c->buffer->max_len = MAX (c->buffer->len * HB_BUFFER_MAX_EXPANSION_FACTOR,
+ (unsigned) HB_BUFFER_MAX_LEN_MIN);
+ }
 /* Save the original direction, we use it later. */
 c->target_direction = c->buffer->props.direction;
@@ -827,6 +832,7 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
 c->buffer->props.direction = c->target_direction;
+ c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
 c->buffer->deallocate_var_all ();
 }
diff --git a/test/fuzzing/Makefile.am b/test/fuzzing/Makefile.am
index 5bd6921..22e7a12 100644
--- a/test/fuzzing/Makefile.am
+++ b/test/fuzzing/Makefile.am
@@ -39,6 +39,8 @@ hb_fuzzer_CPPFLAGS = \
 -DMAIN \
 -DHB_MAX_NESTING_LEVEL=3 \
 -DHB_SANITIZE_MAX_EDITS=3 \
+ -DHB_BUFFER_MAX_EXPANSION_FACTOR=3 \
+ -DHB_BUFFER_MAX_LEN_MIN=8 \
 $(NULL)
 -include $(top_srcdir)/git.mk
_______________________________________________
HarfBuzz mailing list
HarfBuzz@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/harfbuzz
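Review bot: When `_hb_unsigned_int_mul_overflows` reports overflow at the top of hb_ot_shape_internal, the new block silently leaves `max_len` at whatever the buffer already carries, and nothing says the intended fallback is the global default; making it explicit costs one line and also repairs a buffer whose cap an earlier early exit may have left tightened: `else c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;`. Separately, for large inputs `len * HB_BUFFER_MAX_EXPANSION_FACTOR` can exceed `HB_BUFFER_MAX_LEN_DEFAULT` (0x3FFFFFFF) without overflowing `unsigned int`, so the per-call cap is then looser than the global one; wrapping the computation in `MIN (..., HB_BUFFER_MAX_LEN_DEFAULT)` keeps the default as an absolute ceiling. The function continues beyond this hunk.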
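Review bot: The restore `c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;` sits only at the normal end of hb_ot_shape_internal; the body between the two hb-ot-shape.cc hunks is not shown, so if any path returns early (an in_error bail-out, for instance) the caller's buffer keeps the tightened per-call cap, and subsequent appends by the application could fail on a buffer that otherwise looks healthy. If such exits exist, route them through this restore, or hold the cap in a small scope object whose destructor restores it. A comment would also help readers: `/* Undo the per-call cap set at entry; the buffer belongs to the caller. */`.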